Description
For simple architectures (without Vault, Amazon KMS, ...) the list of secrets has to be written down somewhere.
This could be files or environment variables on the host server, or the config files of a deployment tool such as Ansible, Puppet, Docker or Kubernetes.
The application ends up with two repositories to keep in sync. In the worst case, the secrets are pushed alongside the code (and, sadly, often in parameters.yml itself).
The purpose of this RFC is to expose a simple way for developers to safely commit secrets and to simplify deployments.
Based on asymmetric encryption, a public key could be committed in the project, which allows developers to generate new encrypted secrets.
Deployments "just" have to deploy the private key.
Nothing to synchronize anymore: adding or updating a secret no longer requires registering the value of that secret in a dedicated tool.
Example

$ ./bin/console secret:encrypt "foo bar"
MIIBoQYJKoZIhvcNAQcDoIIBkjCCAY4CAQAxg...

# services.yaml
parameters:
    default_jwk: '%env(json:APP_JWK)%' # This variable contains the private key used to decrypt secrets
    # default_jwk: '%env(json:file:APP_JWK_FILE)%' # with APP_JWK_FILE=/opt/application/.jwk.json

# config/packages/prod/doctrine.yaml
parameters:
    env(DATABASE_PASSWORD): 'MIIBoQYJKoZIhvcNAQcDoIIBkjCCAY4CAQAxg...'
    database_password: '%env(decrypt:default_jwk:DATABASE_PASSWORD)%'
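To make the two halves of the proposal concrete, here is an added Go model of the workflow (written for this page; it is not Symfony code and does not use Symfony's JWK handling). `EncryptSecret` plays the role of `secret:encrypt`, needing only the public key that would be committed; `ResolveParameter` plays the role of the `decrypt:default_jwk:` env processor, needing the private key that only the deployment has. RSA-OAEP, the `KeyStore` type, the `oaepLabel` constant and the simplified parsing of the `%env(...)%` syntax are all assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// KeyStore maps a parameter name such as "default_jwk" to the private key a
// deployment provides at runtime (constructed stand-in for the JWK parameter).
type KeyStore map[string]*rsa.PrivateKey

// oaepLabel binds ciphertexts to this use; a hypothetical constant.
var oaepLabel = []byte("app-secret")

// GenerateKeyPair produces the pair: the public key would be committed to the
// repository, the private key handed only to deployments.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptSecret is the developer side ("secret:encrypt"): it needs only the
// public key and returns a base64 string that is safe to commit.
func EncryptSecret(pub *rsa.PublicKey, plaintext string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(plaintext), oaepLabel)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptSecret is the runtime side: base64-decode, then RSA-OAEP decrypt.
// OAEP's integrity check turns a tampered or wrong-key ciphertext into an error
// rather than garbage, so a failure here is a deployment fault worth logging.
func DecryptSecret(priv *rsa.PrivateKey, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", fmt.Errorf("secret is not valid base64: %w", err)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, oaepLabel)
	if err != nil {
		return "", fmt.Errorf("secret could not be decrypted (wrong key or corrupted value): %w", err)
	}
	return string(pt), nil
}

// ResolveParameter emulates how '%env(decrypt:default_jwk:DATABASE_PASSWORD)%'
// would be resolved: look up the named private key, then decrypt the env value.
// The parsing is a simplified model of the proposal, not Symfony's parser.
func ResolveParameter(expr string, env map[string]string, keys KeyStore) (string, error) {
	if !strings.HasPrefix(expr, "%env(") || !strings.HasSuffix(expr, ")%") {
		return "", errors.New("not an env() expression")
	}
	parts := strings.Split(strings.TrimSuffix(strings.TrimPrefix(expr, "%env("), ")%"), ":")
	if len(parts) != 3 || parts[0] != "decrypt" {
		return "", fmt.Errorf("unsupported processor chain %q", expr)
	}
	keyName, varName := parts[1], parts[2]
	priv, ok := keys[keyName]
	if !ok {
		return "", fmt.Errorf("private key %q is not available to this deployment", keyName)
	}
	value, ok := env[varName]
	if !ok {
		return "", fmt.Errorf("environment variable %q is not set", varName)
	}
	return DecryptSecret(priv, value)
}

func main() {
	priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Developer machine: only the public key is needed to produce the committed value.
	enc, _ := EncryptSecret(&priv.PublicKey, "foo bar")
	fmt.Println("committed value:", enc[:24]+"...")

	// Deployed host: private key present, ciphertext read from config/env.
	env := map[string]string{"DATABASE_PASSWORD": enc}
	keys := KeyStore{"default_jwk": priv}
	pw, err := ResolveParameter("%env(decrypt:default_jwk:DATABASE_PASSWORD)%", env, keys)
	fmt.Println("resolved:", pw, "err:", err)
}
```

Two properties of this model matter for the RFC. First, a host without the private key (or with the wrong one) fails closed with an error instead of silently using the ciphertext as the password, which is the behaviour a deployment should surface rather than swallow. Second, plain RSA-OAEP only wraps a few hundred bytes with a 2048-bit key; a real implementation would wrap a symmetric key and encrypt the secret with it, as the CMS-style blob in the example above suggests, but the developer-side/deployment-side split is the same.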